HARDWARE HACKING VILLAGE - Beacons will give you up

Video in TIB AV-Portal: HARDWARE HACKING VILLAGE - Beacons will give you up

Formal Metadata

HARDWARE HACKING VILLAGE - Beacons will give you up
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Hey everybody, welcome to DEF CON. I know you guys are already here for me. This is my first time speaking in front of everybody here, so this is pretty much an honor slash dream come true; I'm kind of a fanboy. This is not that hard technical, I'm just a programmer, but anyways, today my talk is about Wi-Fi, "beacons will give you up," and the Beaconator here.
The Beaconator is pretty fun. I just put it together; it's basically ESP8266s, but instead of just one or two it's about 57 of them. I'll get to more about that later in the talk, but basically I'm a programmer and I've done a bunch of things. You could say sometimes they're potato and sometimes potato things, but you know, we're not talking about low-level stuff here at all; I'm much more of a working-in-higher-level-languages guy, still getting into more security stuff. I know enough to get myself into a lot of trouble, and I try not to do that. So this is the basic agenda: I'm gonna go over ESP8266s in general, then I'm gonna Rickroll everybody and show you how to roll your own real quick, then I'll show you a survey of a bunch of stuff you can do with ESP8266s, and show off the Beaconator towards the end. The Beaconator I've been working on for a while; it germinated last year, but it took me a while to actually bring it to fruition. So basically ESP8266s are a bit like a gateway drug to microcontrollers; chances are, for some of you, your first one is free with a badge.
So, Rickroll. Okay, one sec, right now I'm firing it up. If you have a Wi-Fi device, nothing I'm doing here is gonna do anything bad to you guys, because I'm more afraid of generic you than I am an asshole. So pretty soon this is gonna pop up on your Wi-Fi, and throughout the talk I'll turn on some more stuff in a little bit. I may not turn on the whole top range, because it's a little bit powerful, but if you want a quick thing for just Rickrolls, you know, this is basically the impetus of me getting into the ESP8266, because it's just fun.
So basically, to roll your own, it's pretty simple. I mean, this is really broken down here, but you just need an ESP8266 unit, which is a Wi-Fi module, and the code for the roll, which I'll have posted Wednesday; but there's a bunch of them on GitHub, if you just search for "github esp8266 rickroll" a bunch of people have Rickrolls up there, so feel free to use mine, somebody else's, whatever. To actually run it you've got to have something that programs the ESP8266, which I tend to use the Arduino IDE for, because I don't have experience with the other ones; they may be better, so your mileage may vary. Then, if you want it portable, not just stuck underneath somebody's desk so that whenever their computer is on they have all these access points, you've gotta have a little battery, a cable, all that stuff. But once you get that set up it's not too bad. If you've never set up the Arduino IDE before, you may have to Google a few steps regarding ESP8266s, because you've got to add libraries to it, to preferences, for it to actually pull up and build and compile and push onto there. I'm just giving this out for the new people; if you're totally familiar with it, you know, it's for the new people. I was new to it not that long ago. So this
is the part where I have a villain exposition part, because I've got a lot of stuff to get through and I didn't make enough slides for this part. So the ESP8266 is basically a physical manifestation of a minimally viable Wi-Fi controller board. I was first exposed to it back at CactusCon two years ago in Phoenix. I was fascinated that a programmable Wi-Fi microcontroller system could be made so small and affordable, and like all good con-goers, I got home, promptly put it in a bag box, and forgot about it. But I did do one cool thing after the convention: I got online and ordered a few of them, because I wanted to do something with RGB LEDs. I do light box photography on the side, so I wanted to have a few of these light boxes set up and controlled with a laptop, which is awesome, but unfortunately it turned out that life, everything, kind of got in the way, so I never really had a chance to do that. So last year before DEF CON I was looking at all the stuff I had from the previous conventions and I saw the ESP8266, and I was like, dude, I wonder what I can do with this. So I looked up online projects on GitHub, and within the top 20 projects at the time was Rickroll. So I looked up Rickrolls and found it, and the guy I used was Mark Szabo (m-a-r-k-s-z-a-b-o); he has a thing called Fake Beacon ESP8266. He's a security student over in Europe, and I used his GitHub as a reference point for a lot of the stuff I was doing with this thing. So you know, I have the GitHub download and everything, and in short order I got it working: yeah, Rickrolls. But honestly it took me longer than I'd like to admit professionally to get Arduino up and running, because it was my first time with Arduino by myself. So, you know, Google, YouTube; it wasn't too bad, it was just your basic Google-fu of "hey, I've got an error message, what do I do." It's not too bad. And part of it too is I never really did experimenting with these things until I was really tired late at night, after doing all the
other stuff, so I was not always in the right mind when I did some of these things. So ESP8266s themselves: they're made by a company called Espressif. I mean, they make the IP, the intellectual property, and license it out to different companies to make it, so overall there are multiple different companies that produce different versions of this, and with those different versions some of them are optimized for cost or memory size; some have more pinouts, like the NodeMCU ones have 30 pins and the WeMos boards have like 16 pins; and some are USB development boards, some boards have a USB port on them. The one up here on the screen doesn't have a USB microcontroller part, so you've got to get like a USB-to-serial programmer to actually code that. Now the flip side is, once you have that done, this is smaller and lower power, etc., so you know, there's always kind of a yin-yang. Now there's also a really neat thing with these ESP8266s, which is that there are a lot of things called shields. If you're not familiar with a shield, because I assume someone somewhere watching this isn't, it's basically a little board that sits on top of it, or underneath, depending, and with that you can actually break out and do other stuff and attach cool things to it. So there are relay boards, there are micro SD boards, there are soil temperature sensors, there are humidity sensors; the list kind of goes on, there's a lot of stuff out there. And this is now a pretty common device, so if you look up a project with ESP8266s, chances are somebody's done something and you can learn from their mistakes or just rip off what they did, which is not rip but riff. So that's pretty cool. So with these pinouts, sorry, a few of the pinouts are reserved for programming, so you can't use all the pins if you want to be able to use it later, and most of them have an analog I/O pin, which basically means it can read voltages between 0 and 1 volts, so you can have like a rheostat or a
trim pot hooked up to a voltage step-down so you can actually read the dial, which is kind of cool, but you have to write the code for that, which, you know, as always. Now I haven't done too much with the relays and stuff yet, but you can do some pretty neat stuff with them. So if you go to enough conventions you probably have ESP8266s hanging around in your badge bag, on the badge. Alternatively you can buy them on Amazon Prime for cheap; not too cheap, but you know, under 10 bucks delivered, and on eBay you can get them on a slow boat from China for under 4 or 5 bucks, depending on what you want to do. Now in quantity, like what I'm doing, having something cheap adds up when you're doing a bunch of it. So depending on what you want to do with them: I don't have empirical proof, but the NodeMCU boards tend to be less power-hungry than the WeMos chips, and later on I can show you what they look like up here on the device. But so what I got hooked on was that last year, with a bunch of people at the con, I broadcast some SSIDs, which was pretty fun. So with SSIDs, it's basically when you open up your phone and look at the available Wi-Fi networks, that's just the access points. So what these are doing is just broadcasting the beacon frame of the Wi-Fi access point, not actually responding to any other requests, so you see all these access points but you can't actually connect to them or do anything to them. So that's pretty fun, because there's nothing like having something that looks malicious that you can't connect to, but that's just me. And what I did is I just basically had it in a little Ziploc bag, put it together, just USB powered, and I kept that in my backpack the whole convention. It was fun; people were like, "Did you check the Wi-Fi?" and I was like, "Yes, I have." But that's me kind of bragging on myself there. But so, technicalities: one thing I found on these ESP8266s is that if you want to advertise a persistent set of Wi-Fi SSIDs with randomized MACs, I had to
stick between 13 and 17 total access points per board to have it stable when you pull up your phone, because you have to broadcast the beacon frames often enough for a computer to pick them up, and my code's not perfectly optimized because I borrowed other people's, and honestly I'm just like a little gorilla with the code sometimes, just going poke, poke, poke, what happens. So that was pretty funny, which led me to an idea I had, which is: well, if you have a couple of these things, what happens if you have a bunch of them broadcasting? So if you haven't
heard of it, this Wi-Fi mapper, Ekahau's Wi-Fi mapper, it's like a laptop-based product. It's free; you can download and install it, and it generates really beautiful, pretty picture graphs and charts, which is pretty much the most important thing when you're talking to business. Just say, "hey, I need three more access points over here"; you can do the work with this mapper and show them that yeah, this red part here, that's bad, we need to have more access points or change the channels, that type of thing. But you know, for personal use it's free, so that's pretty cool. So what I did is, this is the
baseline scan of my house, and some of it's been redacted for obvious reasons, I mean, you know. But so basically the line in the middle near the top, that's where I set the scanner that I was walking around my house with, so each of those is a point in my house, and that's just what the scanner looks like. It was actually run on this laptop at the time, which is pretty cool. But I found out something fun, which is that when I did it with 14 early
Beaconators, a previous version of this one's on the top here, I had those running, I ran the Wi-Fi scanner, and something fun happened:
ta-da, Windows slowed to a crawl and the program crashed. It just didn't want to do anything. So after that I basically decided not to be a complete tool, and I restarted the computer fresh so I didn't have any memory issues; it's not a super fast computer here. So going again, I was
like, huh, well, I did the restart here, and then
boom. So what happened was, you can't really see much here, but that little thing in the middle was all the data I was able to collect, because it just slowed to a crawl; there are so many little things happening as I was walking along. You can barely see it, but that green line has little striations, and each of those striations is an access point. So in theory you could use a bunch of beacons like this to mask other attacks, or be a red team and just kind of make a squawker and see if anybody on the blue team notices that, hey, there are 24 access points where there really used to be two, and goes to investigate. And you can do that based off of one little thing that fits in the palm of your hand with a battery. It's pretty cool. So a close-up: you know, it took a long time, it
literally took about ten minutes from the time I turned off the Beaconator before the results were actually able to show up in the application and it caught up. And it's Java-based, which isn't bad, but you know, Java memory; but it's multi-platform. So I zoomed in
and enhanced it, but enhancing doesn't work because it's not the best resolution, but each of those striations is basically an access point, which is pretty cool, and that's just with basically a third of what's here on the top. If I had it fully running, which I haven't had a chance to test yet, that would be pretty fun. So with ESP8266s
you can do things like a deauther; Spacehuhn developed the ESP8266 Wi-Fi Deauther, which is neat, but I just don't really feel like it; it's kind of a dick move and it's not really something I want to do. But really cool stuff that you can build, in terms of just craziness, is you can build like IoT relay devices. You can use these devices to hook up to, like, your garage door, so you get close to your house, connect to your Wi-Fi, hit a button and pop your garage. You can hook them up to power strips, lawn and garden sprinkler systems; one guy did a tea kettle, so he's sitting in bed, has the tea all ready to go, pops open his phone and just logs into his tea kettle and hits a button, and it starts up the tea kettle so he can get his tea started without him getting out of bed. You can do the same thing with coffee, and with a soil sample or soil sensors in there, you can also hook up your own grow house for, you know, vegetables, that type of thing. You wouldn't usually want to use it to control, as they don't have a ton of power, but you could use it to monitor every plant, or every pot, for probably under 15 bucks total if you didn't buy things in bulk, which, you know, is a pretty reasonable price for tomatoes. But it's amazing the stuff you can do with it. Like, if you wanted to build your own Christmas light display, you could have it Wi-Fi powered with these guys, with the mains power running the ESP8266s, so you don't even have to worry about batteries, just doing a little relay. I've got a relay board; I can show you guys, actually, I'm sorry, I have a relay board at home I could show you guys, but basically you see what it looks like, it just fits on a little shield that goes on it, or you can wire it up yourself. It's pretty cool. So the limitations of
ESP8266s are, well, it's single-threaded, so it's limited to about a meg of program space, and then on top of that you have some flash memory you can access, but it's not stupid easy; you have to actually do a little bit of work. And then the other thing with these is the reading and writing from micro SD cards is a bit slow. It's probably me, but I had the pinout, I had the text coming from serving, like, a webpage from the micro SD card, and I was watching the text scroll and refresh, and it was just painful to watch the text show up on the screen. So that was kind of funny. Now it could totally be me, and there may be ways to serve it quickly from micro SD cards, but I think they're better suited for logging, so you could use it for a logging system,
but one thing I noticed which is kind of interesting is that something was missing. So when I was working on this, I could show things up on my phone, right, but I couldn't find anything in Wireshark. So basically what I had to do right here, well, it's kind of small to see, but I had to set the time. When you turn an ESP8266 on it has an internal timer from the time it turns on. I'm not familiar with how to actually change that timer, so you'd probably have to mod, like, add a value to that to actually adjust the time, but that timer gives you a timestamp, which is awesome, because in the beacon frame, which is pretty long, one of those slots is for the time. Without that timestamp being populated, you're gonna end up with it basically not showing up in Wireshark, at least the way I had it configured. So this is the Beaconator
lit up, and with the Beaconator it's
in two sections, the big section and the smaller section. So in the smaller section it's got a Rickroll unit, it's got a couple Project Trevor units, so in about 10-15 seconds you can look at your Wi-Fi and you should see some interesting Wi-Fi access points available. When I say available, they're not really available, they're just there. But one cool thing about them is I do have four book servers on there, where they're connected to DefCon open right now, and because of that you can find them and actually download Little Brother and some other books on there. The reason I'm able to do that, even though there's a one-meg program space limitation and the files are bigger than a meg, is that there's a thing called SPIFFS. Now, not spliff, but SPIFFS. It's called Serial Peripheral Interface Flash File System, which is a mouthful, but it basically allows you to put the files in the leftover memory after you've programmed the device. You have to download a tool from GitHub to do this, but it's pretty cool, so you're limited to about three megs of space on it, which is pretty
neat. But overall, on this thing too, it's got an aluminum frame. The battery in here is AGM gel, lead acid, which is 110, and because of time and skill I just have it running at 110, dropping down to 12 volts through some Anker adapters. In a perfect world I would put lithium-ion batteries in here, because this thing's heavy, but I did add wheels, which is pretty cool. And overall with this thing the hardware is pretty nice, but I got the hardware at the hardware store, so the frame is just some aluminium stock and different things here, and it's
ungainly, but I can wear it if I have to. And the software for the Beaconator is pretty basic. So what I did is I basically tinkered with a sample Arduino IDE program that could do exactly what I wanted to do, and used Python to go through and basically tack on the body of the program, and tack on like 2,800 lines of beacons per sample, so it goes through and creates an Arduino sketch for every twenty-eight hundred samples. Oh, it's running, which is pretty neat, and I'll be posting that here after the convention. And so with
the mobile book library, it's basically just electronic only. There are just four of them running right now, and thanks to the Gutenberg library for basically, surprise surprise, supplying free books for me to use. So the first
book I put on there was Frankenstein, because, I mean, why not, and I also have to give a shout-out to Foone on Twitter, because he wrote the Sierra Death Generator, which I used to generate these images. And the second one I put on there
is Alice in Wonderland, and because, you know, Alice and Bob, I had
to. And for the fun of it I put on Sherlock Holmes, you know. Now, if I had enough time, I could have done some steganography and messed with people a little bit, but I didn't
have enough time. And of course I put on Little Brother, because, I mean, why not. So overall, here on the top part, I'm about to plug it all in here for a second; this hasn't been running at all. Every six seconds it pumps out a hundred and thirty thousand beacon IDs, a second, or no, every six seconds, and back-of-the-napkin math works out to about a million beacons, wireless access points, getting advertised every minute, and because each beacon consists of two frames it's actually pumping about two million frames a minute, which is fun. And the reason I know this is because every six seconds or so these suckers will light up. Let me just double-check; the demo gods are not smiling, one second, sorry. Okay, so now we're rocking and rolling. So pretty soon you're gonna see a few Wi-Fi access points on your phone; it's probably gonna take 30 seconds to a minute for all of them to spin up. Right now, if you're running just 802.11b you may have problems with the internet; it may be getting a little bit slow. It's not doing anything, it's basically a bunch of people in a room shouting really loud going "hey, I've got a Wi-Fi access point, I've got a Wi-Fi access point" 130,000 times every six seconds, just for the fun of it. Now I don't run that thing everywhere, because I don't want to be a complete dick about it. But so the way I know how many it's running is because I have a list of about 2,900 on each one of these forty-four units on the top here, and from that list I turn the LED on at the start, and every time it hits the start of it, it toggles the LED light. So if you're running, like, Wireshark right now you might be seeing a few beacon frames, if you have your beacons enabled, and what shows up here on your phone isn't actually all the beacons available, it's just what your phone can actually capture at the moment, and there's also a bunch of RF collision, or radio collision, because of that. So this is much more of a cool toy than it is actually
something you could use overall. Like, in the package it is in, it's just more like a fun experiment. But for possible future uses,
you know, I've thought of maybe making this thing into a big open library, where I have it broadcast all these access points, and each access point is a book that you can connect to, and have a whole bunch of books, like you'd just have a mobile electronic book library, which, you know, I thought was kind of fun. I thought maybe doing like a route map Beaconator, so if you have a route map that you want to share with some friends, you just share it within Wi-Fi range so they can connect to it and see what's going on. And also I thought maybe a survival Beaconator: you can hook up a solar cell to it and actually run a bunch of stuff, like survival manuals and that type of thing, but that's so impractical, it's kind of a stretch there. Another fun thing I thought of is basically, what happens if you go to a Yankees game broadcasting a whole bunch of times that the Red Sox are gonna win, or "Yankees suck," I mean, you know, or take your way, or here, saying that Vim's better than Emacs. But anyways, there are lots of ways to start stuff, and unfortunately with something like this, eventually people are going to use it to basically broadcast spam. So this is maybe not right away, but eventually.
So basically ESP8266s are a gateway drug to microcontrollers, and possibly some pretty bad decisions, depending on what you want to do. But right here is the GitHub, if you want to
write it down; it'll be available Wednesday, and if anybody has any questions I'll be happy to answer them and go over the code if you want to see any specific spots ahead of time. I really thank you guys for sticking through it, and enjoy the rest of the convention, guys. [Applause]
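As an added example, not code from the talk or from the speaker's GitHub, here is a defender-side Python parser and detector for the beacon frames the talk discusses: it decodes the 24-byte 802.11 management header, the 8-byte timestamp slot the speaker had to populate before frames showed up in Wireshark, and the SSID tag, then buckets a monitor-mode capture into six-second windows and flags any window whose count of distinct BSSIDs is implausible for one location (the "24 access points where there used to be two" case). All frame bytes are constructed in memory; the 32-BSSID threshold and the zero-timestamp heuristic are assumptions for illustration, not figures from the talk.

```python
"""Beacon-frame parser and beacon-flood detector (added example, not the talk's code).

All frame bytes are constructed in memory; nothing here touches a radio.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MGMT_HDR_LEN = 24       # frame control(2) duration(2) addr1-3(18) seq ctrl(2)
FIXED_PARAMS_LEN = 12   # timestamp(8) beacon interval(2) capability info(2)
TAG_SSID = 0
BROADCAST = b"\xff" * 6


@dataclass
class Beacon:
    bssid: str
    ssid: str
    timestamp: int      # TSF value: microseconds since the radio came up
    interval_tu: int    # beacon interval in time units (1 TU = 1024 us)


def parse_beacon(frame: bytes) -> Beacon:
    """Decode the fields a monitor-mode capture shows for one beacon frame."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])        # addr3 = BSSID
    body = frame[MGMT_HDR_LEN:]
    timestamp, interval, _capability = struct.unpack_from("<QHH", body, 0)
    ssid = ""
    pos = FIXED_PARAMS_LEN
    while pos + 2 <= len(body):                                 # tagged parameters
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                               # truncated tag, stop
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return Beacon(bssid, ssid, timestamp, interval)


def constructed_frame(bssid: bytes, ssid: str, timestamp: int,
                      interval_tu: int = 100) -> bytes:
    """Build beacon bytes as test input only (constructed data, never sent)."""
    header = (struct.pack("<BBH", 0x80, 0, 0)     # type 0 / subtype 8, flags, duration
              + BROADCAST + bssid + bssid         # addr1 (dst), addr2 (src), addr3 (BSSID)
              + b"\x00\x00")                      # sequence control
    fixed = struct.pack("<QHH", timestamp, interval_tu, 0x0001)   # capability: ESS
    return header + fixed + bytes([TAG_SSID, len(ssid)]) + ssid.encode()


def flood_report(capture: List[Tuple[int, bytes]], window_us: int = 6_000_000,
                 max_bssids: int = 32) -> List[dict]:
    """Bucket a capture into windows and flag ones with too many distinct BSSIDs.

    capture holds (sniffer_time_us, frame_bytes) pairs. The sniffer's clock is
    used for bucketing; the TSF inside each frame is per-AP and not comparable.
    max_bssids is an assumed threshold; tune it to the site's normal AP count.
    """
    windows: Dict[int, dict] = defaultdict(
        lambda: {"bssids": set(), "frames": 0, "zero_tsf": 0})
    for cap_time, frame in capture:
        try:
            beacon = parse_beacon(frame)
        except ValueError:
            continue                      # skip non-beacon or malformed frames
        win = windows[cap_time // window_us]
        win["bssids"].add(beacon.bssid)
        win["frames"] += 1
        if beacon.timestamp == 0:
            win["zero_tsf"] += 1          # heuristic: a real AP carries a running TSF
    return [{"window": idx,
             "distinct_bssids": len(w["bssids"]),
             "frames": w["frames"],
             "zero_tsf": w["zero_tsf"],
             "flood": len(w["bssids"]) > max_bssids}
            for idx, w in sorted(windows.items())]


def demo_capture() -> List[Tuple[int, bytes]]:
    """Constructed capture: a quiet 6 s window, then 57 fake APs in the next."""
    cap = []
    for t in range(0, 6_000_000, 102_400):            # two real-looking APs, ~100 TU apart
        cap.append((t, constructed_frame(b"\x02\x00\x00\x00\x00\x01", "home", 900_000_000 + t)))
        cap.append((t + 50_000, constructed_frame(b"\x02\x00\x00\x00\x00\x02", "office", 400_000_000 + t)))
    for i in range(57):                               # one beacon each from 57 BSSIDs, TSF left at 0
        cap.append((6_000_000 + i * 1_000,
                    constructed_frame(bytes([0x02, 0x13, 0x37, 0, 0, i]), f"fake-ap-{i:02d}", 0)))
    return cap


if __name__ == "__main__":
    for row in flood_report(demo_capture()):
        print(row)
```

Run as a script it prints one row per window: the first window shows two BSSIDs and no flood, the second shows 57 distinct BSSIDs, all with a zero timestamp, and is flagged. On a real capture you would feed `(timestamp_us, frame_bytes)` pairs from a monitor-mode sniffer and set `max_bssids` from a baseline survey of the site, which is exactly the kind of baseline the speaker's Ekahau scan of his house provided.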